
Third-Party Risk Management for NBFCs Under RBI Directions 2025

A Highly Targeted Industry With A Highly Vulnerable Supply Chain

As India’s financial prowess grows in unison with its expanding role as a world superpower, the country’s BFSI industry faces increased scrutiny… from customers, from regulators and from cyberattackers. In DSCI’s India Cyber Threat Report 2025, BFSI comes in the Top 3 most targeted industries, making up 17.38% of reported attacks. 

To effectively handle sensitive financial data, many institutions have to incorporate a wide range of third-party solutions ranging from cloud storage to data processing to cybersecurity. Unfortunately, this complexity has given attackers a way in – according to India’s Financial Supply Chain: Cybersecurity Threat Report 2025 by SecurityScorecard, 95% of India’s top financial institutions were linked to a third-party data breach in the past year.

It has become a widespread problem, and to combat it, RBI has recently released the Reserve Bank Of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025, with timelines coming into immediate effect for organizations under its purview.

Which Organizations + What Types Of Services Come Under These Directions?

The exhaustive set of new regulations applies to the following categories of NBFCs:

  • NBFCs permitted to accept public deposits (NBFC-D)
  • Investment & Credit Companies (NBFC-ICC)
  • Factoring companies (NBFC-Factor)
  • Microfinance institutions (NBFC-MFI)
  • NBFCs specialising in long-term infrastructure lending (NBFC-IFC)
  • NBFCs set up specifically to refinance operational infrastructure projects (IDF-NBFC)
  • Housing Finance Companies (HFC)
  • Standalone Primary Dealers (SPDs)
  • Credit Information Companies that collect, process and disseminate credit data (CICs)
  • Digital peer-to-peer lending platforms (NBFC-P2P)
  • Consent-based account aggregators that enable sharing of financial data (NBFC-AA)
If your enterprise falls under any of these categories, the following financial and IT services you’ve already outsourced or plan to outsource will come under scrutiny:

Financial Services

  • Application processing for loans & credit cards
  • Loan supervision
  • Document processing
  • Data processing
  • Marketing & research

IT Services

  • IT infrastructure management (including tech associated with your payment systems)
  • Network & security solutions
  • Cloud computing services
  • Services & operations related to data centres
  • Other managed security services

For existing outsourcing contracts for these services, transition to the new directions is allowed until April 10, 2026. For any new outsourcing projects you are about to undertake for these services, the rules come into immediate effect.

End-To-End Governance Of The Supply Chain Cycle

The core objective of the new RBI Directions is to mitigate risk across the entire supply chain journey your enterprise has with all its service providers:

Due Diligence Before Selection Of Service Provider

To determine whether the service provider you are considering is right for the task at hand, RBI prescribes a thorough review of the provider in question when it comes to these following factors:

  • Past experience & demonstrated competence for the task you have in mind for them
  • Financial soundness & ability to service even under adverse conditions
  • Business reputation & culture, including a review of complaints, potential litigation and any conflict of interest
  • Stability of the provider’s technology infrastructure, including data backup arrangements and disaster recovery plans
  • Appropriate controls to ensure data protection and NBFC access to the data being used
  • Independent reviews & market feedback on the provider in question

Outsourcing Contract With Service Provider

Once you have made the decision to go ahead with a particular service provider, a legally binding outsourcing agreement must be signed that includes but is not limited to:

  • List of all the activities being outsourced, including SLAs for service & performance standards to be maintained
  • NBFC access to all data, books, records, logs and alerts relevant to the outsourced service
  • Details of how customer & NBFC data is captured, processed & stored, with compliance to IT Act & DPDP when it comes to protecting customer data & rights
  • Contractual liability of service provider for performance & practices of its subcontractors
  • Adherence to storage of data only in India
  • Type of materially adverse events (data breaches, service unavailability) required to be reported to the NBFC
  • Watertight exit strategy that includes orderly transfer to new service provider
  • Compliance with RBI when it comes to new directions and potential inspections

Monitoring & Control Of Outsourced Activities

While the provider continues their activities, it is important to note that you as the NBFC are responsible for the confidentiality, integrity, preservation and protection of the information and customer data available to the service provider. This includes setting up perpetual processes on your part throughout the entire duration of the contract:

  • Monitoring of performance, uptime of systems & resources, adherence to SLAs
  • Regular audits that review security & compliance processes of the service provider, with emphasis on incident response and testing of business continuity
  • Ensuring that access to customer data by the service provider is strictly on a ‘need to know’ basis
  • If the service provider serves multiple entities, the NBFC must build strong safeguards to ensure no co-mingling or combining of assets
  • When two or more service providers collaborate to create an end-to-end solution, the NBFC must monitor the control environments of all the providers involved

Incident Management In The Case Of Third-Party Breach

Even with all the safeguards set in place, a breach can always occur in this heightened attack landscape. In that case, a strict reporting timeline has to be maintained to mitigate damage:

  • Service provider must immediately inform the NBFC once a breach has been detected
  • The NBFC must report the incident to the RBI within 6 hours of detection by the service provider
  • Both must adhere to subsequent regulations by RBI while attempting to return operations back to normal as soon as possible
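As an added illustration (not part of the original article), a small Python checker that applies the reporting rule above to constructed incident records: the 6-hour RBI window is counted from the service provider’s detection time, so a slow provider notification eats into the NBFC’s own time. The incident ids, timestamps and IST timezone handling are assumptions.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
RBI_REPORT_WINDOW = timedelta(hours=6)  # NBFC -> RBI, counted from provider detection

# Constructed sample records (assumed, not from the article):
# (incident_id, detected_by_provider, provider_notified_nbfc, nbfc_reported_to_rbi)
SAMPLE_INCIDENTS = [
    ("INC-001", "2025-11-03T09:00:00", "2025-11-03T09:20:00", "2025-11-03T13:45:00"),
    ("INC-002", "2025-11-04T22:10:00", "2025-11-05T01:30:00", "2025-11-05T04:40:00"),
    ("INC-003", "2025-11-05T08:00:00", "2025-11-05T08:05:00", None),  # not yet reported
]

def _parse(ts):
    """ISO-8601 local timestamp (IST) -> aware datetime; None stays None."""
    return None if ts is None else datetime.fromisoformat(ts).replace(tzinfo=IST)

def assess_incident(incident_id, detected, notified, reported, now=None):
    """Classify one incident against the 6-hour window. The clock starts at the
    provider's detection, not at NBFC notification, so provider delay is tracked too."""
    detected, notified, reported = _parse(detected), _parse(notified), _parse(reported)
    deadline = detected + RBI_REPORT_WINDOW
    result = {
        "id": incident_id,
        "provider_delay_minutes": int((notified - detected).total_seconds() // 60),
    }
    if reported is None:
        now = _parse(now) or datetime.now(IST)
        result["status"] = "OVERDUE" if now > deadline else "PENDING"
        result["minutes_remaining"] = int((deadline - now).total_seconds() // 60)
    else:
        late_by = reported - deadline
        result["status"] = "LATE" if late_by > timedelta(0) else "COMPLIANT"
        result["late_by_minutes"] = max(0, int(late_by.total_seconds() // 60))
    return result

def assess_all(records, now=None):
    """Run the check over a batch; 'now' is an ISO string so results are reproducible."""
    return [assess_incident(*rec, now=now) for rec in records]

if __name__ == "__main__":
    for r in assess_all(SAMPLE_INCIDENTS, now="2025-11-05T10:00:00"):
        print(r)
```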

Business Continuity & Exit Strategy

A regularly tested, robust framework for business continuity & recovery must be maintained in cases of breaches and termination of service contract:

  • In the case of a breach, viable contingency plans like reverting to backups, bringing activity back in-house or isolating NBFC records must be swiftly implemented.
  • In the case of contract termination, a clear exit strategy must be formed that includes elements like smooth transition and a prohibition on the service provider erasing, purging, revoking or altering data during the transition period.

Additional Directions For Specific Outsourcing Arrangements

In addition to the aforementioned requirements when it comes to service providers, RBI prescribes additional rules for specific cases:

Offshore Service Providers

If your enterprise goes with a service provider operating beyond Indian borders, special consideration has to be given to the following factors:

  • Data localisation: original data must be held and processed only on servers located in India
  • Management of precautionary measures related to the country & jurisdictional risk of the provider
  • Availability of records to both the NBFC and RBI at all times

Outsourcing Of SOC Services

Should you decide to go with a service provider for your Security Operations Centre, like iValue’s industry-leading, 24×7 SOC, the following must be ensured on your part:

  • Identification of the owners of the assets used in providing the service (systems, software, source code, etc.)
  • Adequate oversight & ownership over rule definition and customisation along with related data, logs, metadata & analytics
  • Assessment of how the SOC functions when handling event alerts
  • Full integration of SOC reporting & escalation process with previously mentioned RBI timelines

Outsourcing Of Cloud Services

For all cloud-based IaaS, PaaS and SaaS related services you are planning to outsource, additional oversight must be placed on all these security measures because of the increasing prevalence of cloud-based attacks:

  • Container Security: A standard set of tools & processes must be maintained to manage containers, images and releases, with encryption keys and HSMs under the control of the NBFC.
  • Multi-Tenancy Management: Since public and hybrid clouds deal with multiple clients, you must set up protective safeguards against co-mingling of data.
  • Stringent Access Controls: Role-based least privilege access policies that implement segregation of duties must be maintained at all times, with strong MFA as a means of authentication. Best practices prescribed by RBI involve adherence to NIST SP 800-210 General Access Control Guidance For Cloud Systems.
  • Threat-Intelligent Monitoring: In addition to integrating logs and events from your CSP into your SOC, you must continuously test exposures to vulnerabilities & threats based on the latest threat intelligence.
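As an added example, not code from the article or from iValue, a Python audit of a constructed role/user policy for the three properties the access-control direction above names: MFA on every identity, no wildcard grants (least privilege), and no single identity holding conflicting duties (segregation of duties). The permission names, user names and the conflicting-duty pair are assumptions.

```python
# Constructed sample policy (assumed, not from the article or any real CSP):
# roles map to permission strings, users map to roles plus an MFA flag.
SAMPLE_POLICY = {
    "roles": {
        "payments-operator": ["payments:initiate", "payments:view"],
        "payments-approver": ["payments:approve", "payments:view"],
        "platform-admin": ["*"],  # wildcard grant: violates least privilege
        "soc-analyst": ["logs:read", "alerts:ack"],
    },
    "users": {
        "asha": {"roles": ["payments-operator"], "mfa": True},
        "ravi": {"roles": ["payments-operator", "payments-approver"], "mfa": True},
        "deepa": {"roles": ["platform-admin"], "mfa": False},
        "kiran": {"roles": ["soc-analyst"], "mfa": True},
    },
}

# Duty pairs one identity must never hold together (assumed segregation-of-duties rule).
CONFLICTING_DUTIES = [("payments:initiate", "payments:approve")]

def effective_permissions(policy, user):
    """Union of permissions across every role assigned to the user."""
    perms = set()
    for role in policy["users"][user]["roles"]:
        perms.update(policy["roles"].get(role, []))
    return perms

def audit_access_policy(policy, conflicts=CONFLICTING_DUTIES):
    """Return sorted (user, finding) tuples for the MFA, least-privilege and SoD checks."""
    findings = []
    for user, attrs in policy["users"].items():
        perms = effective_permissions(policy, user)

        def grants(p):  # a wildcard grant implies every permission, including conflicting ones
            return p in perms or "*" in perms

        if not attrs.get("mfa"):
            findings.append((user, "MFA_NOT_ENFORCED"))
        if "*" in perms:
            findings.append((user, "WILDCARD_PERMISSION"))
        for a, b in conflicts:
            if grants(a) and grants(b):
                findings.append((user, f"SOD_CONFLICT:{a}+{b}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_access_policy(SAMPLE_POLICY):
        print(f"{user}: {finding}")
```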

A Concerted, Enterprise-Wide Push To Ensure Directions Are Met

Considering all the processes your enterprise has to start building from the ground up to adhere to these directions, RBI also provides roles & responsibilities starting from the top level and filtering down to your IT teams:

Board (For Ultimate Accountability)

  • Sets overall risk appetite for outsourcing
  • Approves outsourcing policy & materiality criteria
  • Decides which activities are outsourced to what vendor
  • Reviews major incidents, breaches and control failures

Senior Management (For Execution & Control)

  • Translates risk appetite into policies & procedures
  • Evaluates all proposed & existing outsourcing arrangements
  • Oversees vendor performance & risk on an ongoing basis
  • Ensures cyber incidents are escalated and reported on time

IT Function (For Operational Assurance)

  • Identifies and assesses outsourcing risks
  • Classifies vendors by risk & criticality, with central inventory of supply chains
  • Monitors SLAs, uptime and security controls
  • Detects incidents & triggers escalations

Now, the question is: where does iValue fit into all of this? In addition to being a service provider for a wide variety of cutting-edge data security services that completely adhere to these directions, iValue is also a compliance partner for all enterprises looking to streamline implementation of all the regulations that apply to them (including all RBI and DPDP requirements). Our industry-renowned supply chain management services mix local expertise and leading automation to ensure 100% compliance at all times, so that your business can focus on what it does best.
